Network Working Group                                           S. Kelly
Request for Comments: 4772                                Aruba Networks
Category: Informational                                    December 2006
Security Implications of Using the Data Encryption Standard (DES)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2006).
Abstract
The Data Encryption Standard (DES) is susceptible to brute-force
attacks, which are well within the reach of a modestly financed
adversary. As a result, DES has been deprecated, and replaced by the
Advanced Encryption Standard (AES). Nonetheless, many applications
continue to rely on DES for security, and designers and implementers
continue to support it in new applications. While this is not always
inappropriate, it frequently is. This note discusses DES security
implications in detail, so that designers and implementers have all
the information they need to make judicious decisions regarding its
use.
Table of Contents
1. Introduction
   1.1. Executive Summary of Findings and Recommendations
        1.1.1. Recommendation Summary
2. Why Use Encryption?
3. Real-World Applications and Threats
4. Attacking DES
   4.1. Brute-Force Attacks
        4.1.1. Parallel and Distributed Attacks
   4.2. Cryptanalytic Attacks
   4.3. Practical Considerations
5. The EFF DES Cracker
6. Other DES-Cracking Projects
7. Building a DES Cracker Today
   7.1. FPGAs
   7.2. ASICs
   7.3. Distributed PCs
        7.3.1. Willing Participants
        7.3.2. Spyware and Viruses and Botnets (oh my!)
8. Why is DES Still Used?
9. Security Considerations
10. Acknowledgements
Appendix A. What About 3DES?
   A.1. Brute-Force Attacks on 3DES
   A.2. Cryptanalytic Attacks Against 3DES
        A.2.1. Meet-In-The-Middle (MITM) Attacks
        A.2.2. Related Key Attacks
   A.3. 3DES Block Size
Informative References
1. Introduction
The Data Encryption Standard [DES] is the first encryption algorithm
approved by the U.S. government for public disclosure. Brute-force
attacks became a subject of speculation immediately following the
algorithm's release into the public sphere, and a number of
researchers published discussions of attack feasibility and explicit
brute-force attack methodologies, beginning with [DH77].
In the early to mid 1990s, numerous additional papers appeared,
including Wiener's "Efficient DES Key Search" [WIEN94], and "Minimal
Key Lengths for Symmetric Ciphers to Provide Adequate Commercial
Security" [BLAZ96]. While these and various other papers discussed
the theoretical aspects of DES-cracking machinery, none described a
specific implementation of such a machine. In 1998, the Electronic
Frontier Foundation (EFF) went much further, actually building a
device and freely publishing the implementation details for public
review [EFF98].
Despite the fact that the EFF clearly demonstrated that DES could be
brute-forced in an average of about 4.5 days with an investment of
less than $250,000 in 1998, many continue to rely on this algorithm